    IPSec will not connect (racoon: couldn't find configuration)

    backbone:

      Hey, guys.

      I'm having a problem with my IPSec configuration.
      On one side, everything works out pretty nice.
      On the other side, racoon is making bad noises about not finding a correct configuration.

      "ERROR: couldn't find configuration."

      However, if I kill racoon, and run it in the foreground with debug output on, I get some more information.

      2008-07-16 16:06:27: DEBUG: ===
      2008-07-16 16:06:27: DEBUG: 100 bytes message received from <remote_ip>[57413] to <local_ip>[500]
      2008-07-16 16:06:27: DEBUG:
      ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 0d000034
      00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c04b0
      80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
      77570100
      2008-07-16 16:06:27: DEBUG: no remote configuration found.
      2008-07-16 16:06:27: ERROR: couldn't find configuration.

      The configuration is pretty straight forward, generated by pfSense.

      cat racoon.conf

      path pre_shared_key "/var/etc/psk.txt";
      path certificate "/var/etc";

      remote <remote_ip> {
              exchange_mode main;
              my_identifier address "<gw on correct vlan>";
              peers_identifier address <remote_ip>;
              initial_contact on;
              support_proxy on;
              proposal_check obey;

              proposal {
                      encryption_algorithm 3des;
                      hash_algorithm sha1;
                      authentication_method pre_shared_key;
                      dh_group 2;
                      lifetime time 2400 secs;
              }
              lifetime time 2400 secs;
      }

      sainfo address <local_network> any address <remote_network> any {
              encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
              authentication_algorithm hmac_sha1,hmac_md5;
              compression_algorithm deflate;
              lifetime time 1200 secs;
      }

      Here is the weird thing; if I change that remote stanza to read

      remote anonymous {
      blah;
      }

      then everything works out nice, racoon even tells me it uses the anonymous stanza for that correct IP.

      2008-07-16 16:11:06: DEBUG: anonymous configuration selected for <remote_ip>.

      So, to me this seems really odd; how come racoon isn't picking up that stanza when configured like pfSense configures it?
      Using the remote stanza is not what I really want, and either way I can't see a way to make pfSense generate one of those either.

      So, does anyone have any ideas on what is going on here?
      Using tcpdump I can see that it is in fact my <remote_ip> that is coming through to racoon, on port 500/UDP.

      Thanks for a great product, by the way.

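To see what the 100-byte message in that debug dump actually carries, here is an added example (not code from the original post, from racoon or from pfSense) that decodes it as an IKEv1/ISAKMP header followed by an SA payload and a Vendor ID payload. MESSAGE_HEX is copied from the dump quoted above; the lookup tables are a small subset of the RFC 2407/2408/2409 registries, just enough for this one message.

```python
"""Decode the IKEv1 (ISAKMP) main-mode message from the racoon debug dump.

Added example, not code from the original post, racoon or pfSense. MESSAGE_HEX
is copied from the debug output quoted in the post; the lookup tables are a
subset of the RFC 2407/2408/2409 registries, enough for this one message.
"""
import struct

# Copied from the post's racoon debug output (100 bytes, the initiator's first message).
MESSAGE_HEX = (
    "ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 0d000034 "
    "00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c04b0 "
    "80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc "
    "77570100"
)

EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive"}
PAYLOAD_TYPES = {1: "SA", 13: "Vendor ID"}
# Phase-1 transform attribute types and values (RFC 2409 appendix A).
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
              11: "life_type", 12: "life_duration"}
VALUE_NAMES = {
    1: {5: "3DES-CBC", 7: "AES-CBC"},
    2: {1: "MD5", 2: "SHA1"},
    3: {1: "pre_shared_key", 3: "rsa_signature"},
    4: {1: "modp768", 2: "modp1024"},
    11: {1: "seconds", 2: "kilobytes"},
}
# Dead Peer Detection vendor ID (RFC 3706); a 2-byte version follows it on the wire.
DPD_VENDOR_ID = bytes.fromhex("afcad71368a1f1c96b8696fc7757")


def parse_attributes(data):
    """Parse ISAKMP data attributes (RFC 2408 section 3.3): TV (bit 15 set) or TLV."""
    attrs, off = {}, 0
    while off < len(data):
        af_type, = struct.unpack_from(">H", data, off)
        attr_type = af_type & 0x7FFF
        if af_type & 0x8000:                      # TV: a 2-byte value follows
            value, = struct.unpack_from(">H", data, off + 2)
            off += 4
        else:                                     # TLV: 2-byte length, then the value
            length, = struct.unpack_from(">H", data, off + 2)
            value = int.from_bytes(data[off + 4:off + 4 + length], "big")
            off += 4 + length
        name = ATTR_NAMES.get(attr_type, f"attr_{attr_type}")
        attrs[name] = VALUE_NAMES.get(attr_type, {}).get(value, value)
    return attrs


def parse_sa_payload(body):
    """SA payload body: DOI, situation, one proposal and its transforms."""
    doi, situation = struct.unpack_from(">II", body, 0)
    _, _, _p_len, p_num, proto_id, spi_size, n_trans = struct.unpack_from(">BBHBBBB", body, 8)
    off, transforms = 16 + spi_size, []
    for _ in range(n_trans):
        _, _, t_len, t_num, t_id, _ = struct.unpack_from(">BBHBBH", body, off)
        transforms.append({"number": t_num, "transform_id": t_id,
                           "attributes": parse_attributes(body[off + 8:off + t_len])})
        off += t_len
    return {"doi": doi, "situation": situation, "proposal": p_num,
            "protocol_id": proto_id, "transforms": transforms}


def parse_isakmp(msg):
    """Parse the 28-byte ISAKMP header, then walk the next-payload chain."""
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack_from(">8s8sBBBBII", msg, 0)
    if length != len(msg):
        raise ValueError(f"header length {length} != message length {len(msg)}")
    result = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange_type": EXCHANGE_TYPES.get(exch, exch),
        "flags": flags, "message_id": msg_id, "length": length, "payloads": [],
    }
    off, ptype = 28, next_payload
    while ptype != 0:                             # next payload 0 (NONE) ends the chain
        nxt, _, plen = struct.unpack_from(">BBH", msg, off)
        body = msg[off + 4:off + plen]
        if ptype == 1:
            parsed = parse_sa_payload(body)
        elif ptype == 13:
            parsed = {"vendor_id": body.hex(), "dpd": body.startswith(DPD_VENDOR_ID)}
        else:
            parsed = {"raw": body.hex()}
        result["payloads"].append((PAYLOAD_TYPES.get(ptype, f"type_{ptype}"), parsed))
        off, ptype = off + plen, nxt
    return result


def phase1_proposal(parsed):
    """Attributes of the first transform of the first SA payload, or None."""
    for name, payload in parsed["payloads"]:
        if name == "SA":
            return payload["transforms"][0]["attributes"]
    return None


if __name__ == "__main__":
    decoded = parse_isakmp(bytes.fromhex(MESSAGE_HEX))
    for key in ("initiator_cookie", "version", "exchange_type", "length"):
        print(f"{key}: {decoded[key]}")
    print("phase 1 proposal:", phase1_proposal(decoded))
    print("vendor IDs:", [p for n, p in decoded["payloads"] if n == "Vendor ID"])
```

Decoded, the peer's phase-1 proposal is 3DES-CBC, SHA1, pre-shared key, DH group 2 (modp1024) with a 1200-second lifetime, so it lines up with the algorithms in the posted remote stanza (racoon's `proposal_check obey` takes the initiator's lifetime anyway), and the trailing vendor ID is the DPD one. The dump therefore does not point at a proposal mismatch: as the log order shows, racoon logs "no remote configuration found" before it gets as far as comparing proposals.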
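The behaviour the post contrasts, an address-keyed `remote <ip>` stanza versus `remote anonymous`, is racoon's remote-section lookup for the peer that sent the packet. The following is an added example (not racoon's or pfSense's code) that models that lookup on a racoon.conf: exact address match first, anonymous as the fallback, otherwise the post's "no remote configuration found". It parses only the `remote <ip> { }` / `remote anonymous { }` forms used on this page, simplifies port handling (a section without `[port]` matches any peer port), and SAMPLE_CONF is the post's remote section with constructed addresses (203.0.113.2, 198.51.100.1) standing in for the redacted placeholders.

```python
"""Model racoon's remote-section selection to show when
"no remote configuration found" is logged.

Added example, not racoon's or pfSense's code. It models the lookup as
exact-address match first, anonymous fallback second, and handles only the
`remote <ip> { }` / `remote anonymous { }` forms from the post. Port handling
is simplified: a section with no [port] matches any peer port.
"""
import ipaddress
import re

# The post's remote section with constructed addresses (203.0.113.2 for the peer,
# 198.51.100.1 for the local gateway) in place of the redacted placeholders.
SAMPLE_CONF = """\
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

remote 203.0.113.2 {
        exchange_mode main;
        my_identifier address "198.51.100.1";
        peers_identifier address 203.0.113.2;
        initial_contact on;
        support_proxy on;
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 2400 secs;
        }
        lifetime time 2400 secs;
}
"""

# The post's experiment: the same stanza keyed "anonymous" instead of by address.
ANONYMOUS_CONF = SAMPLE_CONF.replace("remote 203.0.113.2 {", "remote anonymous {")

# `remote <addr-or-anonymous> [port] {`, tolerating a missing space before "{".
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s*\[(\d+)\])?\s*\{", re.M)


def parse_remotes(conf):
    """Return one dict per remote section: address (None for anonymous), port, body."""
    remotes = []
    for m in REMOTE_RE.finditer(conf):
        addr = None if m.group(1) == "anonymous" else m.group(1)
        port = int(m.group(2)) if m.group(2) else None
        # Body runs from the opening brace to its matching close (nested `proposal { }` included).
        depth, i = 0, m.end() - 1
        start = i + 1
        while i < len(conf):
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        remotes.append({"address": addr, "port": port, "body": conf[start:i]})
    return remotes


def select_remote(remotes, peer_ip, peer_port=500):
    """Pick the section racoon would use for a peer. Returns (section, log_message)."""
    anonymous = None
    for r in remotes:
        if r["address"] is None:
            anonymous = anonymous or r          # remembered only as the fallback
            continue
        if (ipaddress.ip_address(r["address"]) == ipaddress.ip_address(peer_ip)
                and r["port"] in (None, peer_port)):
            return r, "configuration found"
    if anonymous is not None:
        return anonymous, "anonymous configuration selected"
    return None, "no remote configuration found"


def audit(remotes):
    """Flag catch-all sections: anonymous + pre_shared_key negotiates phase 1 with any source address."""
    findings = []
    for r in remotes:
        if r["address"] is None and "pre_shared_key" in r["body"]:
            findings.append("anonymous remote section with pre_shared_key: phase 1 is "
                            "negotiated with any peer address; authentication then rests "
                            "on the psk.txt entry alone")
    return findings


if __name__ == "__main__":
    for label, conf in (("address stanza", SAMPLE_CONF), ("anonymous stanza", ANONYMOUS_CONF)):
        remotes = parse_remotes(conf)
        for peer in ("203.0.113.2", "203.0.113.3"):
            print(f"{label}, peer {peer}: {select_remote(remotes, peer)[1]}")
        for finding in audit(remotes):
            print(f"{label}: {finding}")
```

With the address-keyed stanza, a packet from exactly 203.0.113.2 gets "configuration found" and any other source address (a peer seen through NAT, or a stanza written with a different address than the one on the wire) gets the post's error. The anonymous stanza removes the error for every source address, which is why it reads as a catch-all rather than a fix: racoon then negotiates phase 1 with whatever host sends to UDP 500 and the psk.txt lookup is the only remaining check.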
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.